9bb7f71fba
* Updated default branch to main * Pin Pester version to 4.10.1 |
||
---|---|---|
.azure-pipelines | ||
.github | ||
.ps-rule | ||
.vscode | ||
docs | ||
src/PSRule.Rules.Kubernetes | ||
tests/PSRule.Rules.Kubernetes.Tests | ||
.gitignore | ||
.markdownlint.json | ||
CHANGELOG.md | ||
CODE_OF_CONDUCT.md | ||
CONTRIBUTING.md | ||
LICENSE | ||
README.md | ||
RuleHelp.Doc.ps1 | ||
RuleToc.Doc.ps1 | ||
SECURITY.md | ||
build.ps1 | ||
pipeline.build.ps1 | ||
ps-project.yaml | ||
ps-rule.yaml |
README.md
PSRule for Kubernetes
A suite of rules to validate Kubernetes resources using PSRule.
Disclaimer
This project is to be considered a proof-of-concept and not a supported product.
For issues with rules and documentation please check our GitHub issues page. If you do not see your problem captured, please file a new issue and follow the provided template.
If you have any problems with the PSRule engine, please check the project GitHub issues page instead.
Getting the modules
This project requires the PSRule
PowerShell module.
You can download and install these modules from the PowerShell Gallery.
Module | Description | Downloads / instructions |
---|---|---|
PSRule.Rules.Kubernetes | Validate Kubernetes resources | latest / instructions |
Getting started
PSRule for Kubernetes provides two methods for analyzing Kubernetes resources:
- Pre-flight - Before resources are deployed from a YAML manifest file.
- In-flight - After resources are deployed to a Kubernetes cluster.
Offline with a manifest
Kubernetes resources can be validated within a YAML manifest file.
To validate Kubernetes resources use the Invoke-PSRule
cmdlet.
PSRule natively supports reading objects from YAML files using the -InputPath
parameter.
The -InputPath
parameter can be abbreviated to -f
.
For example:
Invoke-PSRule -f service.yaml -Module PSRule.Rules.Kubernetes;
The input path can be also be a URL to a YAML file. For example:
$sourceUrl = 'https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml';
Invoke-PSRule -f $sourceUrl -Module PSRule.Rules.Kubernetes;
The output of this example is:
TargetName: azure-vote-back
RuleName Outcome Recommendation
-------- ------- --------------
Kubernetes.API.Removal Fail Consider updating resource deployments to use newer API endpoints prior…
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
Kubernetes.Pod.PrivilegeEscalation Fail Containers should deny privilege escalation.
Kubernetes.Pod.Latest Fail Deployments or pods should identify a specific tag to use for container…
Kubernetes.Pod.Resources Fail Resource requirements are set for each container.
Kubernetes.Pod.Secrets Pass Use Kubernetes secrets to store information such as passwords or connec…
Kubernetes.Pod.Health Fail Containers should use liveness and readiness probes.
Kubernetes.Pod.Replicas Fail Consider increasing replicas to two or more to provide high availabilit…
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
TargetName: azure-vote-front
RuleName Outcome Recommendation
-------- ------- --------------
Kubernetes.API.Removal Fail Consider updating resource deployments to use newer API endpoints prior…
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
Kubernetes.Pod.PrivilegeEscalation Fail Containers should deny privilege escalation.
Kubernetes.Pod.Latest Pass Deployments or pods should identify a specific tag to use for container…
Kubernetes.Pod.Resources Fail Resource requirements are set for each container.
Kubernetes.Pod.Secrets Pass Use Kubernetes secrets to store information such as passwords or connec…
Kubernetes.Pod.Health Fail Containers should use liveness and readiness probes.
Kubernetes.Pod.Replicas Fail Consider increasing replicas to two or more to provide high availabilit…
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
Online with kubectl
Kubernetes resources can be validated directly from a cluster using the output from kubectl
.
To validate resources using kubectl
, return the output as YAML with the -o yaml
parameter.
For example:
kubectl get services -o yaml | Out-String | Invoke-PSRule -Format Yaml -ObjectPath items -Module PSRule.Rules.Kubernetes;
In the example above:
Out-String
- is used to concatenate the output into a single string object.-Format Yaml
- indicates that the input is YAML.-ObjectPath items
- indicates that the input nests objects to evaluate under theitems
property.
Using baselines
PSRule for Kubernetes comes with the following baselines:
Kubernetes
- Includes common Kubernetes rules. This is the default.AKS
- Includes all the rules fromKubernetes
plus additional Azure Kubernetes Service (AKS) specific rules.
To use the AKS
baseline instead of the default use Invoke-PSRule -Baseline AKS
.
For example:
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -Baseline AKS;
If -Baseline AKS
is not specified, the default baseline Kubernetes
will be used.
Additional options
To filter results to only failed rules, use Invoke-PSRule -Outcome Fail
.
Passed, failed and error results are shown by default.
For example:
# Only show failed results
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -Outcome Fail;
A summary of results can be displayed by using Invoke-PSRule -As Summary
.
For example:
# Display as summary results
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -As Summary;
The output of this example is:
RuleName Pass Fail Outcome
-------- ---- ---- -------
Kubernetes.API.Removal 0 2 Fail
Kubernetes.Metadata 0 4 Fail
Kubernetes.Pod.PrivilegeEscalation 0 2 Fail
Kubernetes.Pod.Latest 1 1 Fail
Kubernetes.Pod.Resources 0 2 Fail
Kubernetes.Pod.Secrets 2 0 Pass
Kubernetes.Pod.Health 0 2 Fail
Kubernetes.Pod.Replicas 0 2 Fail
Rule reference
For a list of rules included in the PSRule.Rules.Kubernetes
module see:
Changes and versioning
Modules in this repository will use the semantic versioning model to declare breaking changes from v1.0.0. Prior to v1.0.0, breaking changes may be introduced in minor (0.x.0) version increments. For a list of module changes please see the change log.
Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Pre-release versions should be considered experimental. Modules and change log details for pre-releases will be removed as standard releases are made available.
Contributing
This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.
Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Maintainers
License
This project is licensed under the MIT License.